Well,... when do you use these when dealing with ASM?
I came across a code which is unhackable with everything I know. :-\
- address moves every match
- pointer doesn't find anything
- ASM read/write gives a static instruction, which is executed for multiple addresses, which, edited with a direct RAM write, will crash the game, and I can't find a register indicating if the ASM is referring to the right address or not!
- near this address, all the other addresses around randomly change their values! (F6 code may be useless as well since I can't grab a template)
Is there generally a chance to get this hacked with call stacks or step into/out, etc.?
If someone wishes, I'll post disassembly and function (+ call stacks) later.
Breakpoint Read:
Function
[spoiler]
806E586C: 80040000 lwz r0,0(r4)
806E5870: 90030000 stw r0,0(r3)
806E5874: 4E800020 blr
[/spoiler]
Call Stack:
806E586C
(see function above)
806E1B38 (wtf, it gave an error on the copy function again -> see post below)
[spoiler]
806E1B38: 48003D35 bl 0x806e586c
806E1B3C: 7F43D378 mr r3,r26
806E1B40: 38810150 addi r4,r1,336
806E1B44: 48003C99 bl 0x806e57dc
806E1B48: 80810150 lwz r4,336(r1)
806E1B4C: 80010154 lwz r0,340(r1)
806E1B50: 908100B0 stw r4,176(r1)
806E1B54: 900100B4 stw r0,180(r1)
806E1B58: 908100A8 stw r4,168(r1)
806E1B5C: 900100AC stw r0,172(r1)
806E1B60: 908101D0 stw r4,464(r1)
806E1B64: 900101D4 stw r0,468(r1)
806E1B68: 80610244 lwz r3,580(r1)
806E1B6C: 94830008 stwu r4,8(r3)
806E1B70: 800101D4 lwz r0,468(r1)
806E1B74: 90030004 stw r0,4(r3)
806E1B78: 80610244 lwz r3,580(r1)
806E1B7C: 38030008 addi r0,r3,8
806E1B80: 90010244 stw r0,580(r1)
806E1B84: 4BFFEEC8 b 0x806e0a4c
806E1B88: 3C6080B8 lis r3,-32584
806E1B8C: 80632720 lwz r3,10016(r3)
806E1B90: 1C1A0058 mulli r0,r26,88
806E1B94: 7C630214 add r3,r3,r0
806E1B98: 83A30028 lwz r29,40(r3)
806E1B9C: 4BFFFF30 b 0x806e1acc
806E1BA0: 7F43D378 mr r3,r26
806E1BA4: 8081023C lwz r4,572(r1)
806E1BA8: 4BFF7D8D bl 0x806d9934
806E1BAC: 7C7D1B78 mr r29,r3
806E1BB0: 7F43D378 mr r3,r26
806E1BB4: 7FA4EB78 mr r4,r29
806E1BB8: 4BFFA04D bl 0x806dbc04
806E1BBC: 2C030000 cmpwi r3,0
806E1BC0: 40820028 bne- 0x806e1be8
806E1BC4: 80610244 lwz r3,580(r1)
806E1BC8: 38030008 addi r0,r3,8
806E1BCC: 90010244 stw r0,580(r1)
806E1BD0: 80610238 lwz r3,568(r1)
806E1BD4: 48003CB1 bl 0x806e5884
806E1BD8: 90610238 stw r3,568(r1)
806E1BDC: 38030002 addi r0,r3,2
806E1BE0: 90010238 stw r0,568(r1)
806E1BE4: 480034D4 b 0x806e50b8
806E1BE8: 80610238 lwz r3,568(r1)
806E1BEC: 48003C99 bl 0x806e5884
806E1BF0: 90610238 stw r3,568(r1)
806E1BF4: A8830000 lha r4,0(r3)
806E1BF8: 38030002 addi r0,r3,2
806E1BFC: 90010238 stw r0,568(r1)
806E1C00: 5485043E rlwinm r5,r4,0,16,31
806E1C04: 7F43D378 mr r3,r26
806E1C08: 7FA4EB78 mr r4,r29
806E1C0C: 4BFF8699 bl 0x806da2a4
806E1C10: 908101CC stw r4,460(r1)
806E1C14: 906101C8 stw r3,456(r1)
806E1C18: 80810244 lwz r4,580(r1)
806E1C1C: 94640008 stwu r3,8(r4)
806E1C20: 800101CC lwz r0,460(r1)
806E1C24: 90040004 stw r0,4(r4)
[/spoiler]
806E7CDC (this time, the copy function did work)
[spoiler]
806E7BB8: 9421FFD0 stwu r1,-48(r1)
806E7BBC: 7C0802A6 mflr r0
806E7BC0: 90010034 stw r0,52(r1)
806E7BC4: 39610030 addi r11,r1,48
806E7BC8: 4B9762B5 bl 0x8005de7c
806E7BCC: 7C7B1B78 mr r27,r3
806E7BD0: 7C9C2378 mr r28,r4
806E7BD4: 3C808094 lis r4,-32620
806E7BD8: 38849320 subi r4,r4,27872
806E7BDC: 3860FFFF li r3,-1
806E7BE0: 4CC63182 crclr 6,6
806E7BE4: 4BC8C27D bl 0x80373e60
806E7BE8: 7F63DB78 mr r3,r27
806E7BEC: 48002AD1 bl 0x806ea6bc
806E7BF0: 2C1B0001 cmpwi r27,1
806E7BF4: 4082000C bne- 0x806e7c00
806E7BF8: 38000001 li r0,1
806E7BFC: 48000008 b 0x806e7c04
806E7C00: 38000001 li r0,1
806E7C04: 3FA080B8 lis r29,-32584
806E7C08: 807D2718 lwz r3,10008(r29)
806E7C0C: 577E103A rlwinm r30,r27,2,0,29
806E7C10: 7C63F02E lwzx r3,r3,r30
806E7C14: 7C1C0214 add r0,r28,r0
806E7C18: 54002036 rlwinm r0,r0,4,0,27
806E7C1C: 7C830214 add r4,r3,r0
806E7C20: A0640004 lhz r3,4(r4)
806E7C24: 38030001 addi r0,r3,1
806E7C28: B0040004 sth r0,4(r4)
806E7C2C: 1C1B4320 mulli r0,r27,17184
806E7C30: 3C6080B9 lis r3,-32583
806E7C34: 3863D298 subi r3,r3,11624
806E7C38: 7FE30214 add r31,r3,r0
806E7C3C: 389F0320 addi r4,r31,800
806E7C40: 1C1B0014 mulli r0,r27,20
806E7C44: 3C6080B9 lis r3,-32583
806E7C48: 38635908 addi r3,r3,22792
806E7C4C: 7C630214 add r3,r3,r0
806E7C50: 90830010 stw r4,16(r3)
806E7C54: 38000000 li r0,0
806E7C58: 3C6080B9 lis r3,-32583
806E7C5C: 38635940 addi r3,r3,22848
806E7C60: 7C03F12E stwx r0,r3,r30
806E7C64: 2C1B0001 cmpwi r27,1
806E7C68: 4082000C bne- 0x806e7c74
806E7C6C: 38000001 li r0,1
806E7C70: 48000008 b 0x806e7c78
806E7C74: 38000001 li r0,1
806E7C78: 807D2718 lwz r3,10008(r29)
806E7C7C: 7C63F02E lwzx r3,r3,r30
806E7C80: 7C1C0214 add r0,r28,r0
806E7C84: 54002036 rlwinm r0,r0,4,0,27
806E7C88: 7C630214 add r3,r3,r0
806E7C8C: A343000E lhz r26,14(r3)
806E7C90: 2C1A0000 cmpwi r26,0
806E7C94: 418200CC beq- 0x806e7d60
806E7C98: 7F63DB78 mr r3,r27
806E7C9C: 7F44D378 mr r4,r26
806E7CA0: 4BFEFAF5 bl 0x806d7794
806E7CA4: 7C791B78 mr r25,r3
806E7CA8: 7F63DB78 mr r3,r27
806E7CAC: 7F44D378 mr r4,r26
806E7CB0: 4BFF3569 bl 0x806db218
806E7CB4: 83430000 lwz r26,0(r3)
806E7CB8: 7F63DB78 mr r3,r27
806E7CBC: 7F84E378 mr r4,r28
806E7CC0: 7F25CB78 mr r5,r25
806E7CC4: 4BFF2FE1 bl 0x806daca4
806E7CC8: 7F63DB78 mr r3,r27
806E7CCC: 7F24CB78 mr r4,r25
806E7CD0: 7F45D378 mr r5,r26
806E7CD4: 4BFFE679 bl 0x806e634c
806E7CD8: 7F63DB78 mr r3,r27
806E7CDC: 4BFF8C8D bl 0x806e0968
806E7CE0: 7C641B78 mr r4,r3
806E7CE4: 7F63DB78 mr r3,r27
806E7CE8: 4BFF1E6D bl 0x806d9b54
806E7CEC: 809F0328 lwz r4,808(r31)
806E7CF0: 807F032C lwz r3,812(r31)
806E7CF4: 3803FFFF subi r0,r3,1
806E7CF8: 28000004 cmplwi r0,4
806E7CFC: 4080FF68 bge+ 0x806e7c64
806E7D00: 2C000000 cmpwi r0,0
806E7D04: 40820010 bne- 0x806e7d14
806E7D08: 7F63DB78 mr r3,r27
806E7D0C: 4BFF1E49 bl 0x806d9b54
806E7D10: 4BFFFF54 b 0x806e7c64
806E7D14: 28000002 cmplwi r0,2
806E7D18: 41810010 bgt- 0x806e7d28
806E7D1C: 7F63DB78 mr r3,r27
806E7D20: 4BFEE9D5 bl 0x806d66f4
806E7D24: 4BFFFF40 b 0x806e7c64
806E7D28: 8804FFFF lbz r0,-1(r4)
806E7D2C: 2C000000 cmpwi r0,0
806E7D30: 4082FF34 bne+ 0x806e7c64
806E7D34: A064FFFC lhz r3,-4(r4)
806E7D38: 2C030000 cmpwi r3,0
806E7D3C: 41820010 beq- 0x806e7d4c
806E7D40: 3803FFFF subi r0,r3,1
806E7D44: B004FFFC sth r0,-4(r4)
806E7D48: 4BFFFF1C b 0x806e7c64
806E7D4C: 3864FFFC subi r3,r4,4
806E7D50: 38800010 li r4,16
806E7D54: 7F65DB78 mr r5,r27
806E7D58: 4BFE9955 bl 0x806d16ac
806E7D5C: 4BFFFF08 b 0x806e7c64
806E7D60: 7F63DB78 mr r3,r27
806E7D64: 7F84E378 mr r4,r28
806E7D68: 4BFF1DED bl 0x806d9b54
806E7D6C: 7F63DB78 mr r3,r27
806E7D70: 3C8080B8 lis r4,-32584
806E7D74: 80842720 lwz r4,10016(r4)
806E7D78: 1C1B0058 mulli r0,r27,88
806E7D7C: 7C840214 add r4,r4,r0
806E7D80: 80840030 lwz r4,48(r4)
806E7D84: 4BFF361D bl 0x806db3a0
806E7D88: 1C1B4320 mulli r0,r27,17184
806E7D8C: 3C6080B9 lis r3,-32583
806E7D90: 3863D298 subi r3,r3,11624
806E7D94: 7C630214 add r3,r3,r0
806E7D98: 38030320 addi r0,r3,800
806E7D9C: 90030010 stw r0,16(r3)
806E7DA0: 39610030 addi r11,r1,48
806E7DA4: 4B976125 bl 0x8005dec8
806E7DA8: 80010034 lwz r0,52(r1)
806E7DAC: 7C0803A6 mtlr r0
806E7DB0: 38210030 addi r1,r1,48
806E7DB4: 4E800020 blr
[/spoiler]
Registers
[spoiler]
CR:80000888 XER:00000000 CTR:806E1AB8 DSIS:00400000
DAR:81362E64 SRR0:806E586C SRR1:00009032 LR:806E1B3C
r0:00000006 r1:900EA0F8 r2:802459C0 r3:900EA248
r4:81362E64 r5:00002464 r6:00129546 r7:813502C0
r8:000012BA r9:81362E60 r10:81362E60 r11:900EA0D8
r12:00000000 r13:80244680 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:0000002A r21:81360200 r22:808A8BE8 r23:809389C0
r24:80B82730 r25:80B92730 r26:00000000 r27:00000000
r28:00001134 r29:00000024 r30:00007F44 r31:00003188
f0:FFC00000 f1:5146AAFE f2:3E8ECBAE f3:3E8ECBAE
f4:3F800000 f5:3E8ECBAE f6:3AE61BA9 f7:BE1D513D
f8:BEF7D5B4 f9:BEE64E08 f10:BF4B36CF f11:00000000
f12:3F0965C6 f13:BF1CDC42 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:BF800000 f30:00000000 f31:3F800000
[/spoiler]
Breakpoint Write:
function:
[spoiler]
806DB470: 9421FFF0 stwu r1,-16(r1)
806DB474: 7C0802A6 mflr r0
806DB478: 90010014 stw r0,20(r1)
806DB47C: 93E1000C stw r31,12(r1)
806DB480: 93C10008 stw r30,8(r1)
806DB484: 7C661B78 mr r6,r3
806DB488: 7CBF2B78 mr r31,r5
806DB48C: 2C040000 cmpwi r4,0
806DB490: 418200C8 beq- 0x806db558
806DB494: 3CA080B8 lis r5,-32584
806DB498: 80A52718 lwz r5,10008(r5)
806DB49C: 5460103A rlwinm r0,r3,2,0,29
806DB4A0: 7CA5002E lwzx r5,r5,r0
806DB4A4: 2C030001 cmpwi r3,1
806DB4A8: 38002464 li r0,9316
806DB4AC: 40820008 bne- 0x806db4b4
806DB4B0: 38001464 li r0,5220
806DB4B4: 7C040214 add r0,r4,r0
806DB4B8: 54002036 rlwinm r0,r0,4,0,27
806DB4BC: 7FC50214 add r30,r5,r0
806DB4C0: 809E0004 lwz r4,4(r30)
806DB4C4: 801E0008 lwz r0,8(r30)
806DB4C8: 540306FE rlwinm r3,r0,0,27,31
806DB4CC: 3803FFFF subi r0,r3,1
806DB4D0: 28000004 cmplwi r0,4
806DB4D4: 40800060 bge- 0x806db534
806DB4D8: 2C000000 cmpwi r0,0
806DB4DC: 40820010 bne- 0x806db4ec
806DB4E0: 7CC33378 mr r3,r6
806DB4E4: 4BFFE671 bl 0x806d9b54
806DB4E8: 4800004C b 0x806db534
806DB4EC: 28000002 cmplwi r0,2
806DB4F0: 41810010 bgt- 0x806db500
806DB4F4: 7CC33378 mr r3,r6
806DB4F8: 4BFFB1FD bl 0x806d66f4
806DB4FC: 48000038 b 0x806db534
806DB500: 8804FFFF lbz r0,-1(r4)
806DB504: 2C000000 cmpwi r0,0
806DB508: 4082002C bne- 0x806db534
806DB50C: 3864FFFC subi r3,r4,4
806DB510: A084FFFC lhz r4,-4(r4)
806DB514: 2C040000 cmpwi r4,0
806DB518: 41820010 beq- 0x806db528
806DB51C: 3804FFFF subi r0,r4,1
806DB520: B0030000 sth r0,0(r3)
806DB524: 48000010 b 0x806db534
806DB528: 38800010 li r4,16
806DB52C: 7CC53378 mr r5,r6
806DB530: 4BFF617D bl 0x806d16ac
806DB534: 801E0008 lwz r0,8(r30)
806DB538: 54030034 rlwinm r3,r0,0,0,26
806DB53C: 907E0008 stw r3,8(r30)
806DB540: 801F0004 lwz r0,4(r31)
806DB544: 7C600378 or r0,r3,r0
806DB548: 901E0008 stw r0,8(r30)
806DB54C: 801F0000 lwz r0,0(r31)
806DB550: 901E0004 stw r0,4(r30)
806DB554: 48000024 b 0x806db578
806DB558: 1C030058 mulli r0,r3,88
806DB55C: 3C8080B8 lis r4,-32584
806DB560: 80842720 lwz r4,10016(r4)
806DB564: 7CA40214 add r5,r4,r0
806DB568: 8085003C lwz r4,60(r5)
806DB56C: 80A50040 lwz r5,64(r5)
806DB570: 7FE6FB78 mr r6,r31
806DB574: 4BFFFCD9 bl 0x806db24c
806DB578: 83E1000C lwz r31,12(r1)
806DB57C: 83C10008 lwz r30,8(r1)
806DB580: 80010014 lwz r0,20(r1)
806DB584: 7C0803A6 mtlr r0
806DB588: 38210010 addi r1,r1,16
806DB58C: 4E800020 blr
[/spoiler]
Call Stack
806DB550 (see function above)
806E3E28 (WTF, an error occurred with the copy function: "Could not find continue searching?" Then I'll just copy)
[spoiler]
806E3E20: 80A10244 lwz r5,580(r1)
806E3E24: 38A50008 addi r5,r5,8
806E3E28: 4BFF7649 bl 0x806db470
806E3E2C: 80610244 lwz r3,580(r1)
806E3E30: 38030008 addi r0,r3,8
806E3E34: 90010244 stw r0,580(r1)
806E3E38: 4BFFCC08 b 0x806e0a40
806E3E3C: 80610244 lwz r3,580(r1)
806E3E40: 38030008 addi r0,r3,8
806E3E44: 90010244 stw r0,580(r1)
806E3E48: 80810238 lwz r4,568(r1)
806E3E4C: 1C1A0014 mulli r0,r26,20
806E3E50: 387931D8 addi r3,r25,12760
806E3E54: 7C83012E stwx r4,r3,r0
806E3E58: 8081023C lwz r4,572(r1)
806E3E5C: 1C7A0014 mulli r3,r26,20
806E3E60: 381931D8 addi r0,r25,12760
806E3E64: 7C601A14 add r3,r0,r3
806E3E68: 90830004 stw r4,4(r3)
806E3E6C: 80810240 lwz r4,576(r1)
806E3E70: 1C7A0014 mulli r3,r26,20
806E3E74: 381931D8 addi r0,r25,12760
806E3E78: 7C601A14 add r3,r0,r3
806E3E7C: 90830008 stw r4,8(r3)
806E3E80: 80810244 lwz r4,580(r1)
806E3E84: 1C7A0014 mulli r3,r26,20
806E3E88: 381931D8 addi r0,r25,12760
806E3E8C: 7C601A14 add r3,r0,r3
806E3E90: 9083000C stw r4,12(r3)
806E3E94: 80810248 lwz r4,584(r1)
806E3E98: 1C7A0014 mulli r3,r26,20
806E3E9C: 381931D8 addi r0,r25,12760
806E3EA0: 7C601A14 add r3,r0,r3
806E3EA4: 90830010 stw r4,16(r3)
806E3EA8: 387701E0 addi r3,r23,480
806E3EAC: 80810244 lwz r4,580(r1)
806E3EB0: 80040004 lwz r0,4(r4)
806E3EB4: 5400103A rlwinm r0,r0,2,0,29
806E3EB8: 3C808094 lis r4,-32620
806E3EBC: 38848490 subi r4,r4,31600
806E3EC0: 7C84002E lwzx r4,r4,r0
806E3EC4: 4CC63182 crclr 6,6
806E3EC8: 4BF29DE5 bl 0x8060dcac
806E3ECC: 7C641B78 mr r4,r3
806E3ED0: 7F43D378 mr r3,r26
806E3ED4: 38A00000 li r5,0
806E3ED8: 48006275 bl 0x806ea14c
806E3EDC: 7F43D378 mr r3,r26
806E3EE0: 7FC4F378 mr r4,r30
806E3EE4: 4BFF792D bl 0x806db810
806E3EE8: 908101AC stw r4,428(r1)
806E3EEC: 906101A8 stw r3,424(r1)
806E3EF0: 80810244 lwz r4,580(r1)
806E3EF4: 94640008 stwu r3,8(r4)
806E3EF8: 800101AC lwz r0,428(r1)
806E3EFC: 90040004 stw r0,4(r4)
806E3F00: 80610244 lwz r3,580(r1)
806E3F04: 8003000C lwz r0,12(r3)
806E3F08: 2C000006 cmpwi r0,6
806E3F0C: 40820044 bne- 0x806e3f50
[/spoiler]
806E3E28 (same as above)
Registers:
[spoiler]
CR:42000888 XER:20000000 CTR:806E3DC8 DSIS:02400000
DAR:81362E64 SRR0:806DB550 SRR1:0000B032 LR:806E3E2C
r0:00000003 r1:900EA0E8 r2:802459C0 r3:00129540
r4:00000002 r5:8132BC80 r6:00000000 r7:00000000
r8:81362E60 r9:000012BA r10:81362E60 r11:900EA0F8
r12:81376710 r13:80244680 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:80B8D5C0 r21:81361B80 r22:808A8BE8 r23:809389C0
r24:80B82730 r25:80B92730 r26:00000000 r27:00000000
r28:00001301 r29:00000024 r30:81362E60 r31:80B8D5C0
f0:3FE70A3D f1:3FF33333 f2:71BF21E4 f3:42EA0000
f4:00000000 f5:3F800000 f6:00000000 f7:00000000
f8:C1700000 f9:41700000 f10:C1700000 f11:41700000
f12:43500000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:BF800000 f30:59800004 f31:3A83126F
[/spoiler]
--------------------------------------------------------------------------------------
If anybody is able to clear this issue, I'll send him the game "Mario Party 8 PAL" to his house, because I don't ever plan to play it again!
(worth 40 euros for one fricking code, I'm serious)
Why would I do this? This code seems unhackable to me; seeing the solution would make me very happy,
because any attempts at ASM RAM writes just crash the game... (see first post)
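A way to sanity-check listings and register dumps like the ones posted above, as an added example that is not from this thread or any poster: the script below re-decodes the 32-bit PowerPC instruction words (the standard D-form load/store/addi/cmpwi encodings and the I-form b/bl encoding, which is more general than the few lines shown) and, for a data breakpoint, recomputes the effective address of the instruction at SRR0 from the register dump and compares it with DAR. The sample listing and register values are copied from the thread; the function names (decode, fmt, check_listing, effective_address, breakpoint_hit) are this example's own.

```python
# Added example (not from the thread): decode PowerPC instruction words from a
# "ADDR: WORD mnemonic" listing and verify a data breakpoint against DAR.
import re

# Constructed sample: lines taken from the read/write breakpoint listings and
# the two register dumps posted in the thread (values are the thread's own).
LISTING = """
806E586C: 80040000 lwz r0,0(r4)
806E5870: 90030000 stw r0,0(r3)
806E1B38: 48003D35 bl 0x806e586c
806E1B40: 38810150 addi r4,r1,336
806E7CDC: 4BFF8C8D bl 0x806e0968
806E7CF4: 3803FFFF subi r0,r3,1
806E7C04: 3FA080B8 lis r29,-32584
806E7C28: B0040004 sth r0,4(r4)
806DB550: 901E0004 stw r0,4(r30)
"""
REGS_READ = {"SRR0": 0x806E586C, "DAR": 0x81362E64, "LR": 0x806E1B3C,
             "r4": 0x81362E64}
REGS_WRITE = {"SRR0": 0x806DB550, "DAR": 0x81362E64, "LR": 0x806E3E2C,
              "r30": 0x81362E60}

def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

# Primary opcodes of the D-form loads/stores that appear in the listings.
D_FORM = {32: "lwz", 34: "lbz", 36: "stw", 37: "stwu", 40: "lhz", 42: "lha", 44: "sth"}

def decode(pc, word):
    """Return (mnemonic, operands) for the D-form/I-form subset; ("?", {}) otherwise."""
    opcode = word >> 26
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    simm = sext(word & 0xFFFF, 16)
    if opcode in D_FORM:
        return D_FORM[opcode], {"rt": rt, "ra": ra, "d": simm}
    if opcode == 14:                      # addi, shown as li/subi when simpler
        if ra == 0:
            return "li", {"rt": rt, "imm": simm}
        if simm < 0:
            return "subi", {"rt": rt, "ra": ra, "imm": -simm}
        return "addi", {"rt": rt, "ra": ra, "imm": simm}
    if opcode == 15:                      # addis, shown as lis when rA is 0
        return ("lis" if ra == 0 else "addis"), {"rt": rt, "ra": ra, "imm": simm}
    if opcode == 11:
        return "cmpwi", {"ra": ra, "imm": simm}
    if opcode == 10:
        return "cmplwi", {"ra": ra, "imm": word & 0xFFFF}
    if opcode == 18:                      # I-form b/bl: 24-bit word offset, AA, LK
        li = sext(word & 0x03FFFFFC, 26)
        aa, lk = (word >> 1) & 1, word & 1
        target = (li if aa else pc + li) & 0xFFFFFFFF
        return ("bl" if lk else "b"), {"target": target}
    return "?", {}

def fmt(pc, word):
    """Render the decoded instruction in the same style as the posted listing."""
    name, ops = decode(pc, word)
    if name in D_FORM.values():
        return f"{name} r{ops['rt']},{ops['d']}(r{ops['ra']})"
    if name in ("li", "lis"):
        return f"{name} r{ops['rt']},{ops['imm']}"
    if name in ("addi", "subi", "addis"):
        return f"{name} r{ops['rt']},r{ops['ra']},{ops['imm']}"
    if name in ("cmpwi", "cmplwi"):
        return f"{name} r{ops['ra']},{ops['imm']}"
    if name in ("b", "bl"):
        return f"{name} 0x{ops['target']:08x}"
    return "?"

LINE_RE = re.compile(r"([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(.*)")

def check_listing(text):
    """Re-decode every listing line; return (pc, posted, decoded) mismatches."""
    bad = []
    for m in LINE_RE.finditer(text):
        pc, word, posted = int(m[1], 16), int(m[2], 16), m[3].strip()
        got = fmt(pc, word)
        if got != posted:
            bad.append((pc, posted, got))
    return bad

def effective_address(pc, word, regs):
    """EA of the D-form load/store at pc: (rA or 0) + d, as the CPU computed it."""
    name, ops = decode(pc, word)
    if name not in D_FORM.values():
        raise ValueError("not a D-form load/store")
    base = regs.get(f"r{ops['ra']}", 0) if ops["ra"] else 0
    return (base + ops["d"]) & 0xFFFFFFFF

def breakpoint_hit(listing, regs):
    """(EA == DAR, call site): SRR0 is the faulting instruction, DAR the data
    address; LR holds the return address, so the bl sits 4 bytes before it."""
    words = {int(m[1], 16): int(m[2], 16) for m in LINE_RE.finditer(listing)}
    ea = effective_address(regs["SRR0"], words[regs["SRR0"]], regs)
    return ea == regs["DAR"], regs["LR"] - 4

if __name__ == "__main__":
    print("listing mismatches:", check_listing(LISTING))
    print("read bp:", breakpoint_hit(LISTING, REGS_READ))
    print("write bp:", breakpoint_hit(LISTING, REGS_WRITE))
```

Run on the thread's own dumps, both breakpoints resolve to DAR 81362E64 (lwz r0,0(r4) with r4=81362E64, and stw r0,4(r30) with r30=81362E60), and LR-4 gives the call sites 806E1B38 and 806E3E28 that the poster listed as the call stack, which is what distinguishes one caller of a shared copy routine from another.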
What should the code do? What game is this for?
Quote from: Nutmeg on March 06, 2011, 07:53:00 AM
What should the code do? What game is this for?
I've got the PAL game. Is yours NTSC?
What will the code be for?
Does this 806DB530: 4BFF617D bl 0x806d16ac load r31?
Or is it from the beginning: 806DB488: 7CBF2B78 mr r31,r5?
It looks to me that register 0 loads r31 which would be an address... This address seems to be in direct relation to the break point's assembly line.
Perhaps
Game? Call Of Duty Black Ops Wii
Region? PAL
What? Modify rounds in Zombie Mode (Offline!)
The rounds can be found with a mem80 equal search, then I took the right breakpoint read/write, which matches the address.
[SOLVED]
The Winner is: Nutmeg
Congrats!